Tuesday, April 12, 2011

Dropbox client - Security issue

Examining the Windows client revealed a serious security hole in the service's handling of Dropbox account access data. Credentials only need to be entered once, during installation. The installation process generates an authentication token, the host_id, which is subsequently stored in the config.db file in the

%APPDATA%\Dropbox

directory on a local hard disk.

The host_id isn't tied to the system it was generated on and can therefore be copied to any other system. A trojan that extracts the config.db file thus obtains unauthorised access to the user's stored Dropbox files. Such access does not register as an additional system: when the unauthorised system connects to the Dropbox service, the host_id makes it appear to be the original one. There is no prompt for credentials, and no machine is added to the list of systems that Dropbox is synchronising.

Changing the password, the usual way of cutting off continued access, does not help, as the host_id remains valid after the change. The host_id can be revoked by going to www.dropbox.com/account, selecting "My Computers" and choosing "Unlink" for any compromised system.
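As an added example (not code from the original post, nor from Dropbox), here is a small Python triage script an incident responder could use to confirm whether a reusable host_id is sitting on disk. It assumes config.db is a SQLite database with a table `config` holding `key`/`value` rows and that the token is stored under the key `host_id`; the sample database it builds is constructed here so the example runs offline. When run on a Windows profile it looks at the real %APPDATA%\Dropbox\config.db, otherwise it falls back to the constructed sample.

```python
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample token for the offline demo; not a real Dropbox host_id.
SAMPLE_HOST_ID = "0123456789abcdef0123456789abcdef"


def default_config_db_path() -> Path:
    """%APPDATA%\\Dropbox\\config.db, the location named in the post."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        raise RuntimeError("APPDATA is not set; not running under a Windows profile")
    return Path(appdata) / "Dropbox" / "config.db"


def make_sample_config_db(directory: Path) -> Path:
    """Build a constructed config.db using the ASSUMED schema
    (table `config` with `key`/`value` columns) so the example runs offline."""
    db_path = directory / "config.db"
    con = sqlite3.connect(str(db_path))
    try:
        con.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
        con.executemany(
            "INSERT INTO config (key, value) VALUES (?, ?)",
            [
                ("host_id", SAMPLE_HOST_ID),
                ("email", "user@example.com"),               # constructed
                ("dropbox_path", r"C:\Users\user\Dropbox"),  # constructed
            ],
        )
        con.commit()
    finally:
        con.close()
    return db_path


def read_config(db_path: Path) -> Dict[str, str]:
    """Open config.db read-only (never modify evidence during triage)
    and return every key/value row as a dict."""
    uri = db_path.resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT key, value FROM config").fetchall()
    finally:
        con.close()
    return {key: value for key, value in rows}


def extract_host_id(db_path: Path) -> Optional[str]:
    """Return the stored host_id, or None if the file carries none."""
    return read_config(db_path).get("host_id")


def triage(db_path: Path) -> Dict[str, object]:
    """Summarise what a responder needs: whether a reusable token is on disk
    and, if so, that the machine should be unlinked under 'My Computers'
    (a password change alone does not invalidate the host_id)."""
    host_id = extract_host_id(db_path)
    return {
        "config_db": str(db_path),
        "host_id_present": host_id is not None,
        "host_id": host_id,
        "action": "unlink this computer at www.dropbox.com/account"
        if host_id
        else "no token found",
    }


def demo() -> Dict[str, object]:
    """Run the triage against a constructed config.db in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = make_sample_config_db(Path(tmp))
        return triage(db_path)


if __name__ == "__main__":
    real = None
    try:
        real = default_config_db_path()
    except RuntimeError:
        pass
    if real is not None and real.exists():
        print(triage(real))
    else:
        print(demo())
```

The read-only URI open matters in practice: the Dropbox client may hold the file open, and a triage tool should never risk writing to a database it is treating as evidence. If the token turns up on a machine suspected of compromise, treat it as leaked and unlink that computer; only then does the copied host_id stop working.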